Creating a User in Domain

Posted: January 10, 2010 in Active Directory, Networking, Server, System Information
Tags: , ,


You want to create a user object.


Using a graphical user interface
  1. Open the ADUC snap-in.
  2. If you need to change domains, right-click on “Active Directory Users and Computers” in the left pane, select Connect to Domain, enter the domain name, and click OK.
  3. In the left pane, browse to and select the container where the new user should be located and select New User.
  4. Enter the values for the first name, last name, full name, and user logon name fields as appropriate and click Next.
  5. Enter and confirm password, set any of the password flags, and click Next.
  6. Click Finish.
Using a command-line interface

You can create a user with the built-in DSAdd utility or by using AdMod. Using DSAdd requires the following syntax:

        > dsadd user "<UserDN>" -upn <UserUPN> -fn "<UserFirstName>"
        -ln "<UserLastName>" -display "<UserDisplayName>" -pwd <UserPasswd>

To create a user account with AdMod, use the following syntax:

        > admod b "<UserDN>" add objectClass::user
           sAMAccountName::<SAMAccount> unicodepwd::<password> userAccountControl::512
Using VBScript
        ' Taken from ADS_USER_FLAG_ENUM
        Const ADS_UF_NORMAL_ACCOUNT = 512

        set objParent = GetObject("LDAP://<ParentDN>")
        set objUser = objParent.Create("user", "cn=<UserName>") ' e.g. joes
        objUser.Put "sAMAccountName", "<UserName>"   ' e.g. joes
        objUser.Put "userPrincipalName", "<UserUPN>" ' e.g.
objUser.Put "givenName", "<UserFirstName>"       ' e.g. Joe
        objUser.Put "sn", "<UserLastName>"           ' e.g. Smith
        objUser.Put "displayName", "<UserFirstName> <UserLastName>" ' e.g. Joe Smith
        objUser.AccountDisabled = FALSE
        objUser.Put " 
userAccountControl", ADS_UF_NORMAL_ACCOUNT


The only mandatory attribute that must be set when creating a user is sAMAccountName, which is the account name that is used to interoperate with downlevel domainsand even this attribute is only mandatory in Windows Server 2003. To make the account immediately available for a user to use, you’ll need to make sure the account is enabled, which is accomplished by setting userAccountControl to 512 after you’ve set a password that follows any password complexity rules in place for the domain (order is important in this case).If you only set the sAMAccountName when creating a user object, the account will be disabled by default.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s